Serverless Security: Doing Security in 100 milliseconds

Presented at AppSec USA 2016, Oct. 14, 2016, 9:15 a.m. (45 minutes)

Serverless is the awesome future of cloud computing. This session will focus on practical security approaches for serverless in four key areas: software supply chain, delivery pipeline, data flow, and attack detection.

Serverless is a design pattern gaining a lot of traction in DevOps shops. The serverless pattern allows scale without managing the servers or processes running the application. This is done across the continuum of cloud, from storage as a service to database as a service, but the center of serverless is Functions as a Service (FaaS). FaaS offerings on the market include AWS Lambda, Azure Functions, and Google Cloud Functions. Now processes run for milliseconds before being destroyed, and then get instantiated again for subsequent requests.

Security changes under serverless, and our traditional modes of firewalling and hardening all the things just won't cut it. Practices like vulnerability discovery, code scanning, and intrusion detection change in a serverless architecture. Serverless also changes how applications are built and deployed, and even how teams are structured.

This session will focus on practical security approaches and the four key areas of serverless security: software supply chain, delivery pipeline, data flow, and attack detection. Even if you don't have any experience with serverless, don't worry: in this session we will start with the basics, and you will learn what serverless is (it's still being defined) and practical patterns for serverless adoption.

Presenters:

  • James Wickett
    James does most of his research and work at the intersection of the DevOps and Security communities. He works as a Sr. Engineer at Signal Sciences and is a supporter of the Rugged Software and Rugged DevOps movements. Seeing the gap in software testing, James founded an open source project, Gauntlt, to serve as a Rugged Testing Framework. He is the author of the Hands-on Gauntlt book and is a Lynda.com author of the DevOps Fundamentals course (releasing in the fall of 2016). He got his start in technology when he founded a startup as a student at the University of Oklahoma, and since then has worked in environments ranging from large, web-scale enterprises to small, rapid-growth startups. He is a dynamic speaker on topics in DevOps, InfoSec, cloud security, security testing, Rugged DevOps, and serverless. James is the creator and founder of the Lonestar Application Security Conference, the largest annual security conference in Austin, TX. He also runs DevOps Days Austin and is on the global DevOps Days board. He holds several security certifications, including CISSP and GWAPT. In his spare time he is trying to learn how to make a perfect BBQ brisket.
